Re: [Swan] Options for Windows clients

2021-01-01 Thread Manfred
Hi Paul, As far as I can see the following are the things that should be updated: 1) Drop the instruction about changing the Windows registry, and add an instruction to use an administrative PowerShell and Set-VpnConnectionIPsecConfiguration to solve the issue of the Windows default weak cip

Re: [Swan] Options for Windows clients

2021-01-01 Thread Manfred
Hi Alex, I see you managed to get a connection up. I think I still see some issues in the log though, but I won't repeat myself since it is all in my previous posts. Good luck! On 12/31/2020 8:14 PM, Alex wrote: Hi Manfred, I got it to work subsequent to your email. I'll explain how I got i

Re: [Swan] Options for Windows clients

2020-12-31 Thread Alex
Hi, > Dec 31 13:53:06.342990: "ikev2-cp"[1] 172.58.239.44 #1: certificate > verified OK: O=Example,CN=win10client.example.com > Dec 31 13:53:06.343028: "ikev2-cp"[1] 172.58.239.44 #1: certificate > subjectAltName extension does not match ID_IPV4_ADDR '172.58.239.44' > Dec 31 13:53:06.343035: "ikev

Re: [Swan] Options for Windows clients

2020-12-31 Thread Paul Wouters
On Dec 31, 2020, at 14:14, Alex wrote: > >  > Can we add some of this to the wiki so someone else doesn't have to go > through all of this? There's no way the wiki entry would work as it is > currently. > > I also want to experiment a bit more with the add/set-vpnconnection > commands - it seem

Re: [Swan] Options for Windows clients

2020-12-31 Thread Alex
Hi Manfred, I got it to work subsequent to your email. I'll explain how I got it to work, but my next issue is with DHCP. > OK, so phase 1 passes. > However, it still looks like Windows is sending multiple proposals, > while when using Set-VpnConnectionIPsecConfiguration I think only one > should

Re: [Swan] Options for Windows clients

2020-12-31 Thread Manfred
Hi, On 12/31/2020 4:14 AM, Alex wrote: Hi, certutil -S -c "Example CA" -n "win10client.example.com" \ -s "O=Example,CN=win10client.example.com" -k rsa \ -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "win10client.example.com" I see that the options -1 and -6 have no a

Re: [Swan] Options for Windows clients

2020-12-30 Thread Alex
Hi, > > certutil -S -c "Example CA" -n "win10client.example.com" \ > > -s "O=Example,CN=win10client.example.com" -k rsa \ > > -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 > > "win10client.example.com" > > I see that the options -1 and -6 have no argument. Apparently this >

Re: [Swan] Options for Windows clients

2020-12-30 Thread Manfred
On 12/31/2020 2:52 AM, Manfred wrote: Hi, [...] Do you mean the internal 192.168.1.1 address, so it's on the same network as the Windows PC at 192.168.1.35? Eventually I'll need to do this over the Internet, of course... If 192.168.1.1 is the local IP address of the libreswan host[*], I'

Re: [Swan] Options for Windows clients

2020-12-30 Thread Manfred
Hi, On 12/31/2020 1:18 AM, Alex wrote: Hi, Referring to that example: leftcert=vpn.example.com Here "vpn.example.com" must match the nickname of the server certificate in the NSS database, which you created with certutil. This is how libreswan knows which certificate to send to the clie

Re: [Swan] Options for Windows clients

2020-12-30 Thread Paul Wouters
On Dec 30, 2020, at 19:18, Alex wrote: > >  > > So I want to do something like this with certutil? > > --extSAN type:name[,type:name]... > Create a Subject Alt Name extension with one or multiple names. > > -type: directory, dn, dns, edi, ediparty, email, ip, > ipadd

Re: [Swan] Options for Windows clients

2020-12-30 Thread Alex
Hi, > Referring to that example: > > leftcert=vpn.example.com > Here "vpn.example.com" must match the nickname of the server certificate > in the NSS database, which you created with certutil. This is how > libreswan knows which certificate to send to the client for server > authentication. >

Re: [Swan] Options for Windows clients

2020-12-30 Thread Manfred
Hi, On 12/30/2020 3:25 AM, Alex wrote: Hi, [...] I've gotten past that NO_PROPOSAL_CHOSEN error, or at least it's not producing it anymore. Are the references to 'vpn.example.com' just labels, or is it a host that has to resolve to an IP? https://libreswan.org/wiki/VPN_server_for_remote_cli

Re: [Swan] Options for Windows clients

2020-12-30 Thread Alex
Hi, > > Now Windows is saying "IKE failed to find valid machine certificate. > > install a valid certificate" but I've rebuilt the entire thing, > > deleted the old certs and inserted a new pk12 cert as I've done > > before. This strongswan post appears to indicate that "Maybe Windows > > wan

Re: [Swan] Options for Windows clients

2020-12-29 Thread Paul Wouters
On Dec 29, 2020, at 21:25, Alex wrote: > >  > This is fedora32. It appears the NSS database is physically in > /var/lib/ipsec/nss while the certificates I've been creating are > stored in /etc/ipsec.d/*.db. What's the difference? The /etc one is the old location. Libreswan on fedora is compiled

Re: [Swan] Options for Windows clients

2020-12-29 Thread Alex
Hi, > >> How can I tell what type of cert I'm using? > > > > openssl x509 -noout -text -in /your/cert.pem > > If you used certutil to generate the certificate directly inside the NSS > database, you may have to export first, or use something like: > > certutil -L -d sql:/etc/ipsec.d -n your_ce

Re: [Swan] Options for Windows clients

2020-12-29 Thread Manfred
On 12/29/2020 4:31 AM, Paul Wouters wrote: On Mon, 28 Dec 2020, Alex wrote: How can I tell what type of cert I'm using? openssl x509 -noout -text -in /your/cert.pem If you used certutil to generate the certificate directly inside the NSS database, you may have to export first, or use som

Re: [Swan] Options for Windows clients

2020-12-28 Thread Paul Wouters
On Mon, 28 Dec 2020, Alex wrote: How can I tell what type of cert I'm using? openssl x509 -noout -text -in /your/cert.pem Based on the strongswan page, I've added the following: ike=aes256-sha384-prfsha384-modp2048 esp=aes256gcm16-modp2048 strongswan is not fully compatible with libresw

Re: [Swan] Options for Windows clients

2020-12-28 Thread Alex
Hi, > >>> I've also added the "NegotiateDH2048_AES256" DWORD as per this doc: > >>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 > >> > >> Instead of tweaking the registry, you might rather use the Windows > >> Powershell, and specifically Set-VpnConnectionIPsecConfiguratio

Re: [Swan] Options for Windows clients

2020-12-26 Thread Paul Wouters
On Dec 26, 2020, at 14:28, Manfred wrote: > >  > This is the command I've now tried to use, unsuccessfully: >> Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2-cp" >> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants >> AES256 -EncryptionMethod AES256 -IntegrityChec

Re: [Swan] Options for Windows clients

2020-12-26 Thread Manfred
Hi, On 12/26/2020 3:51 AM, Alex wrote: Hi, I've also added the "NegotiateDH2048_AES256" DWORD as per this doc: https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 Instead of tweaking the registry, you might rather use the Windows Powershell, and specifically Set-VpnConnectio

Re: [Swan] Options for Windows clients

2020-12-25 Thread Alex
Hi, > > I've also added the "NegotiateDH2048_AES256" DWORD as per this doc: > > https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 > > Instead of tweaking the registry, you might rather use the Windows > Powershell, and specifically Set-VpnConnectionIPsecConfiguration: > https://

Re: [Swan] Options for Windows clients

2020-12-24 Thread Nick Howitt
On 24/12/2020 15:34, Alex wrote: Hi, The win10 laptop I am using is connected to our internal network on 192.168.1.35. The libreswan server has a public IP (which I've specified as the endpoint for the win10 client), but also is the Internet ga

Re: [Swan] Options for Windows clients

2020-12-24 Thread Manfred
Hi, Based on my recent experience: On 12/24/2020 4:41 AM, Alex wrote: Hi, Is there documentation available on how to configure it with libreswan? Yes, see our libreswan examples on the website. I followed the examples outlined on this page, including importing the pkcs12 file with ipsec a

Re: [Swan] Options for Windows clients

2020-12-24 Thread Alex
Hi, > The win10 laptop I am using is connected to our internal network on > 192.168.1.35. The libreswan server has a public IP (which I've > specified as the endpoint for the win10 client), but also is the > Internet gateway for the win10 client as 192.168.1.1. Is it possible > to connect to the l

Re: [Swan] Options for Windows clients

2020-12-24 Thread Nick Howitt
On 24/12/2020 03:41, Alex wrote: Hi, Is there documentation available on how to configure it with libreswan? Yes, see our libreswan examples on the website. I followed the examples outlined on this p

Re: [Swan] Options for Windows clients

2020-12-23 Thread Alex
Hi, > > Is there documentation available on how to configure > > it with libreswan? > > Yes, see our libreswan examples on the website. I followed the examples outlined on this page, including importing the pkcs12 file with ipsec and building an ipsec.conf for the VPN server. https://libreswan.or

Re: [Swan] Options for Windows clients

2020-12-22 Thread Paul Wouters
On Dec 22, 2020, at 10:08, Alex wrote: > > Hi, > > I have a libreswan-4.1 install on fedora32 and would like to connect > some remote road warriors with Windows clients so I may connect them > to the corporate network to access our asterisk phone system. Please upgrade to the latest 4.2rc1 tha